Cloudflare Developers•3w ago

Changing User-Agent bypasses bot protection?

It seems that just changing the user agent of a request is bypassing bot protection on my website. This is properly blocked:

while true; do curl  'https://api.merklemap.com/v1/certificates/google.com'; done

while true; do curl  'https://api.merklemap.com/v1/certificates/google.com'; done

This passes with a 100% success rate?

while true; do curl --user-agent 'ok'  'https://api.merklemap.com/v1/certificates/google.com'; done

while true; do curl --user-agent 'ok'  'https://api.merklemap.com/v1/certificates/google.com'; done

Am I missing something? Thanks.

1 Reply

PierreOP•3w ago

Browser integrity check is disabled on my zone So I don't think it's that If sending thousands of requests with curl and "ok" as user-agent is not triggering bot protection, I don't what will 🤷‍♂️ No, it's pretty clear that a curl TLS fingerprint that sends thousands of requests per minute is a bot Lol... 🙂 It was exactly the behavior of this feature as of 1 or 2 years when I was using it for an other product Not going to argue any further, sending thousands of requests from outside a browser is definitely automated traffic, and the product looks broken right now, I'm just going to use something else

Gaming

Programming

Changing User-Agent bypasses bot protection?

Did you find this page helpful?